Wireshark-dev: Re: [Wireshark-dev] (New to Wireshark) How does wireshark determine what protoco
From: Justin Seto <jseto@xxxxxxxx>
Date: Mon, 15 Oct 2007 09:04:42 -0400
Thank you for the response,

We are connecting over port 5494.  I believe this has to do with a
Sql server we are using.  I will investigate this possibility.

Justin

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Stephen Fisher
Sent: October 12, 2007 6:34 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] (New to Wireshark) How does wireshark determine what protocol is being used?

On Fri, Oct 12, 2007 at 05:16:08PM -0400, Justin Seto wrote:

> My company is using the Microsoft C++ standard implementation of TLS,
> i.e. plugging in the module, to handle SSL connections. When I use
> wireshark to capture data, it does not detect the SSL packets.
> However, when I read the raw data in the TCP packet, I can see the TLS
> headers in the first bytes of the data payload.  Furthermore, there
> seems to be an exchange of certificates.
>
> When I connect to an SSL enabled site over a web browser I can scope
> TLS packets.  I would like to see the same thing appear when I scope
> packets from my program.  My first question is: how does wireshark
> determine whether a packet is an SSL packet?

Is your company's program using a standard SSL port?  Wireshark detects
SSL on at least ports 636 (ldap over SSL), 993 (imap over SSL), and 995
(pop over SSL).  There is a default setting in the HTTP dissector's
preferences to decode port 443 as HTTP over SSL.


Steve

_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev